package com.smartinput.config

import com.smartinput.security.JwtAuthenticationFilter
import org.springframework.beans.factory.annotation.Value
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
import org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter


@Configuration
@EnableWebSecurity
class SecurityConfig(
    private val jwtAuthenticationFilter: JwtAuthenticationFilter
) {



    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http
            .csrf { it.disable() }
            .cors { it.disable() }  // 禁用Spring Security的CORS配置
            .authorizeHttpRequests { auth ->
                auth
                    .requestMatchers(org.springframework.http.HttpMethod.OPTIONS, "/**").permitAll() // 全局放行OPTIONS
                    
                    // 公开接口 - 无需认证
                    .requestMatchers("/api/auth/login", "/api/auth/register", "/api/auth/test").permitAll()
                    .requestMatchers("/api/user/register").permitAll()
                    .requestMatchers("/actuator/health", "/actuator/info").permitAll() // 健康检查公开
                    .requestMatchers("/favicon.ico", "/error").permitAll() // 静态资源公开
                    
                    // WebSocket握手请求 - 允许通过，认证在WebSocket拦截器中进行
                    .requestMatchers("/ws", "/ws/**").permitAll()
                    .requestMatchers("/sse/**").permitAll()
                    
                    // 需要认证的接口
                    .requestMatchers("/api/auth/validate").authenticated() // token验证需要认证
                    .requestMatchers("/api/device/**").authenticated() // 设备管理需要认证
                    .requestMatchers("/api/user/**").authenticated() // 用户管理需要认证
                    .requestMatchers("/api/voice/**").authenticated() // 语音识别需要认证
                    .requestMatchers("/api/sync/**").authenticated() // 同步功能需要认证
                    .requestMatchers("/api/performance/**").authenticated() // 性能监控需要认证
                    .requestMatchers("/api/notifications/**").authenticated() // 通知功能需要认证
                    .requestMatchers("/api/statistics/**").authenticated() // 统计功能需要认证
                    .requestMatchers("/api/configuration/**").authenticated() // 配置管理需要认证
                    
                    // 其他actuator端点需要认证
                    .requestMatchers("/actuator/**").authenticated()
                    
                    // 默认所有其他请求都需要认证
                    .anyRequest().authenticated()
            }
            .sessionManagement { it.sessionCreationPolicy(SessionCreationPolicy.STATELESS) }
            .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter::class.java)
        
        return http.build()
    }

    @Bean
    fun passwordEncoder(): PasswordEncoder {
        return BCryptPasswordEncoder()
    }
} 